Linux Host Intrusion Detection Playbook (CLI)

Introduction: The Need for Effective Linux Host Detection Capabilities

Linux-based systems are a cornerstone of modern enterprise IT infrastructure, powering critical applications, cloud environments, and high-performance computing. However, as their adoption grows, so does their attractiveness to threat actors seeking to exploit misconfigurations, unpatched vulnerabilities, and weak access controls. Unlike traditional Windows-based threats, Linux-specific attack techniques often involve fileless malware, rootkits, privilege escalation exploits, and living-off-the-land (LotL) techniques that can evade conventional security controls.

Effective Linux host detection capabilities and processes are essential for identifying and mitigating threats before they lead to unauthorised access, data exfiltration, or system compromise. A robust detection strategy should include real-time monitoring of system logs, process execution tracking, anomaly-based behaviour detection, and integration with Security Information and Event Management (SIEM) platforms. Additionally, leveraging Extended Detection and Response (XDR) and proactive threat-hunting techniques tailored for Linux environments enhances an organisation’s ability to detect sophisticated attacks.

To stay ahead of adversaries, security teams must implement continuous visibility, forensic capabilities, and automated response mechanisms for Linux hosts. By developing a well-structured detection framework, organisations can strengthen their overall security posture, minimise downtime, and effectively counter advanced threats targeting Linux infrastructure.

Initial Compromise Detection
- Detect Suspicious Processes
- Identify Exploited Services
- Advanced Suspicious Command Detection
Persistence Mechanisms
- Detect Cronjob Modifications
- Monitor SSH Key Additions
- Advanced Persistence Detection via Startup Scripts
Privilege Escalation and Credential Theft
- Detect Sudo Abuse
- Credential Dumping Attempts
- Advanced Kernel Exploit Detection
Lateral Movement Detection
- Detect SSH Lateral Movement
- Monitor File Transfers via SCP or Rsync
- Advanced Detection of Exploited Protocols
Data Exfiltration Indicators
- Large Data Transfers via Network
- Use of Compression Tools
- DNS or HTTPS Exfiltration
Post-Incident Investigation
- Correlation of File Hashes
- Compromised User Accounts
- Incident Timeline Reconstruction
Conclusion

This playbook provides a structured approach to investigating Linux-based intrusions on a host system. Each section focuses on specific detection and analysis phases using advanced queries and techniques. The focus is on using the commandline options

1. Initial Compromise Detection

The first step is identifying the initial point of compromise, often involving malicious processes or exploited services.

Query Option 1: Detect Suspicious Processes

ps aux --sort=-%cpu,-%mem | awk '{if($3>20.0 || $4>20.0) print $0}'

Description: Lists processes consuming abnormally high CPU or memory, which could indicate malicious activity. Results include process details and resource usage.

Query Option 2: Identify Exploited Services

sudo netstat -tulnp | grep -E '(:22|:80|:443)'

Description: Identifies active listening services on common ports (SSH, HTTP, HTTPS) and links them to associated processes. Useful for spotting compromised services.

Query Option 3: Advanced Suspicious Command Detection

journalctl -u ssh | grep -iE '(Accepted|Failed password|root login)'

Description: Searches SSH logs for signs of brute force or unauthorised access attempts. Results display timestamps, IP addresses, and access outcomes.

2. Persistence Mechanisms

Attackers often use persistence techniques to maintain access.

Query Option 1: Detect Cronjob Modifications

cat /etc/crontab /etc/cron.*/* | grep -v '^#'

Description: Extracts all active cronjobs, which may reveal malicious scripts scheduled for execution. Results show cronjob commands and schedules.

Query Option 2: Monitor SSH Key Additions

find /root/.ssh /home/*/.ssh -name authorized_keys -exec ls -l {} \;

Description: Tracks additions to SSH authorised_keys files, often used for persistence. Results display file details and timestamps.

Query Option 3: Advanced Persistence Detection via Startup Scripts

find /etc/init.d /etc/systemd/system /etc/rc.d -type f -exec grep -i malicious_keyword {} +

Description: Scans startup scripts for suspicious keywords indicative of malicious persistence. Results include file paths and matching lines.

3. Privilege Escalation and Credential Theft

Detecting privilege escalation and credential theft attempts is crucial to mitigating further damage.

Query Option 1: Detect Sudo Abuse

cat /var/log/auth.log | grep 'sudo:' | grep 'COMMAND'

Description: Extracts logs of sudo command usage, revealing potential abuse of elevated privileges. Results include command details and users.

Query Option 2: Credential Dumping Attempts

grep -iE '(hashcat|john|mimikatz)' ~/.bash_history

Description: Searches shell history for usage of credential-dumping tools. Results display command-line activities.

Query Option 3: Advanced Kernel Exploit Detection

dmesg | grep -iE '(exploit|segfault|ptrace)'

Description: Analyses kernel logs for signs of exploit attempts. Results include timestamps and kernel messages.

4. Lateral Movement Detection

Attackers often spread across the network after the initial compromise.

Query Option 1: Detect SSH Lateral Movement

cat /var/log/auth.log | grep 'Accepted publickey'

Description: Identifies SSH logins using public key authentication. Results include IP addresses, usernames, and timestamps.

Query Option 2: Monitor File Transfers via SCP or Rsync

lsof -i :22 | grep 'ssh'

Description: Tracks file transfer activities over SSH. Results display active SSH sessions and file operations.

Query Option 3: Advanced Detection of Exploited Protocols

sudo tcpdump -i eth0 'port 22 or port 111' -vv

Description: Captures network traffic on ports commonly exploited (e.g., SSH, RPC). Results include packet details and connection attempts.

5. Data Exfiltration Indicators

Signs of data exfiltration should be promptly identified to mitigate loss.

Query Option 1: Large Data Transfers via Network

sudo iftop -i eth0 -n -P

Description: Monitors real-time network traffic for large outbound data transfers. Results include source and destination IPs and transfer sizes.

Query Option 2: Use of Compression Tools

find / -name '*.zip' -o -name '*.tar.gz' -exec ls -l {} \;

Description: Searches for recently created compressed files, often used for exfiltration. Results display file details and timestamps.

Query Option 3: DNS or HTTPS Exfiltration

sudo tcpdump -i eth0 'port 53 or port 443' -vv

Description: Analyses DNS or HTTPS traffic for unusual patterns indicative of exfiltration. Results include packet details and domain names.

6. Post-Incident Investigation

Once the threat is contained, further investigation can determine the scope and impact.

Query Option 1: Correlation of File Hashes

find / -type f -exec sha256sum {} + | grep -f known_hashes.txt

Description: Compares file hashes across the system to known malicious hashes. Results include file paths and matching hashes.

Query Option 2: Compromised User Accounts

cat /var/log/auth.log | grep 'Invalid user'

Description: Identifies login attempts targeting non-existent or disabled accounts. Results include usernames, IP addresses, and timestamps.

Query Option 3: Incident Timeline Reconstruction

ausearch -ts recent -m EXECVE,CONNECT -i

Description: Creates a timeline of executed commands and network connections. Results include detailed events with timestamps.

Conclusion

This playbook provides a good approach to detecting and analysing Linux-based intrusions on a host machine. However, in some circumstances, the investigation requires going beyond a single host. On these occasions, refer to the Playbook: Investigating Linux Intrusions Across an Enterprise.

PreviousWindows Malware Detection Playbook NextLinux Intrusion Detection Playbook

Last updated 2 months ago